Blogs


Compliance and Security

This article, The Compliance Cop-Out, caught my eye recently. Bob Bragdon, publisher of CSO Magazine, believes that CSOs are copping out by using regulatory compliance as the justification for security spending. Numerous recent surveys support this. And with virtually every security vendor attaching the “C” word to their products, I have to agree with him. Both the supply side and the buy side of the security industry seem to agree that positioning security technologies as “silver bullets” for compliance is a good thing.

But is this really good for the enterprise’s security posture? As Bob points out, doing a comprehensive assessment of risk, and mitigating risk based upon the results of that assessment, is a better approach, one that is more likely to lead to the most serious risks being addressed in the right order, to achieve the best effect in terms of protection and reduced risk. Done right, risk management and compliance can co-exist quite well, with controls mapped to multiple regulations, and with the outputs of the risk management process identifying where the organization is in compliance and where there are gaps.

I came across several items recently that (taken together) confirm my belief that the privacy breaches we have seen here in the US are just the tip of the iceberg. First, a UK news outlet did an undercover investigation of outsourcers in India; the IT Compliance Institute has a brief summary here, and a news story on the investigation is here.

The findings are pretty frightening: security is so lax at many of the call centers in India that a black market for identity data is apparently flourishing there. Companies affected that are mentioned in the investigation include some large financials, Barclays and HSBC. Couple this with some findings in a CSO Magazine article that show Indian IT organizations lagging behind their US counterparts in adoption of every key security practice. The takeaway from this is that if you are an organization outsourcing business processes to India (or anywhere, really), you need to carefully assess the risks inherited from your service provider. You need to understand which of your service providers are storing sensitive data (EPHI, NPI) on your behalf, and what security controls they have in place. And if you are responsible for IT security and are not on top of this in your organization, you need to get on top of the vendor risk management situation quickly.

Jim
